[Snort-sigs] IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow

Yew Chuan Ong yewchuan88 at ...2420...
Sun Mar 25 16:54:30 EDT 2012


Thanks.
One question, it is normal to see packet with size greater than 668 bytes?
Is it the only indicator?

On Mon, Mar 26, 2012 at 5:53 AM, rmkml <rmkml at ...174...> wrote:

> Hi,
> Your revision on this rule are correct, but you don't have flowbits on
> this rule: strange ?
> Please add this flowbits:  flowbits:isset,qualcom.**worldmail.ok;
> Regards
> Rmkml
>
>
>
> On Mon, 26 Mar 2012, Yew Chuan Ong wrote:
>
>  Hye guys,
>> I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP
>> Literal Token Parsing Buffer Overflow.
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm
>> WorldMail IMAP
>> Literal Token Parsing Buffer Overflow"; flow:established,to_server;
>> dsize:>668;
>> metadata:policy balanced-ips drop, policy security-ips drop, service
>> imap; refer
>> ence:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin;
>> sid:1732
>> 8; rev:1;)
>> When I checked on the payloads, these are just normal email contents (not
>> suspicious). I am wondering why the packet size is more than 668 bytes if
>> it is not a real buffer overflow attempt. Any ideas?
>> Thanks.
>> Regards
>> Yew Chuan
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120326/4f78330b/attachment.html>


More information about the Snort-sigs mailing list